[Security] Remove plaintext password logging from VP FTP server

  FTP PASS commands were logged with the plaintext password visible in
  log files. Since support packages include logs and are shared publicly
  on GitHub issues, this exposed user access codes. Now redacted as
  PASS ********.
maziggy 2 months ago
parent
commit
3d09fe0cd9
2 changed files with 6 additions and 2 deletions:
  1. CHANGELOG.md (+1 -1)
  2. backend/app/services/virtual_printer/ftp_server.py (+5 -1)

+ 1 - 1
CHANGELOG.md

@@ -24,7 +24,7 @@ All notable changes to Bambuddy will be documented in this file.
 - **Reformatted AMS Drying Presets Table** ([#732](https://github.com/maziggy/bambuddy/issues/732)) — The drying presets table in Settings now groups columns by AMS type (AMS 2 Pro, AMS-HT) with inline °C and h unit labels next to each input, replacing the previous flat column layout. Requested by @cadtoolbox.
 
 ### Security
-
+- **Fixed Virtual Printer FTP server logging passwords in plaintext — now redacted**
 
 ## [0.2.2] - 2026-03-16
 
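Review bot: the new Security entry on the `+- **Fixed Virtual Printer FTP server ...**` line says what was fixed but not what affected users should do, and the commit message states that support packages containing the plaintext PASS lines have already been attached to public GitHub issues. The entry should advise users to rotate the printer access code and to delete or scrub previously uploaded support packages, and, if a tracking issue exists, link it in the `([#nnn](...))` form the neighbouring entries use, followed by a short description after the bold title as those entries do.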

+ 5 - 1
backend/app/services/virtual_printer/ftp_server.py

@@ -96,7 +96,11 @@ class FTPSession:
                 if not command_line:
                     continue
 
-                logger.info("FTP <- %s: %s", self.remote_ip, command_line)
+                # Never log passwords
+                if command_line.upper().startswith("PASS"):
+                    logger.info("FTP <- %s: PASS ********", self.remote_ip)
+                else:
+                    logger.info("FTP <- %s: %s", self.remote_ip, command_line)
 
                 # Parse command and argument
                 parts = command_line.split(" ", 1)
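Review bot: the check on the `+ if command_line.upper().startswith("PASS"):` line is a prefix match on the raw line and duplicates the split performed two lines later (`parts = command_line.split(" ", 1)`). Move that split above the logging and test `parts[0].upper() == "PASS"` so the redaction is keyed on the parsed verb and cannot drift from what the parser accepts (leading whitespace, tabs, a bare `PASS` with no argument). Two things to confirm outside this hunk: that no other path (debug logging, parse-error handling, dumps of the receive buffer) still emits the unredacted line, and whether `ACCT`, which also carries a credential in FTP, should be redacted in the same branch.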